public string GetCommandLine()
{
PROCESS_BASIC_INFORMATION pbi;
int size;
NtQueryInformationProcess(pGame.Handle, 0, out pbi, Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out size);
IntPtr pebAddress = (IntPtr)pbi.PebBaseAddress;
String commandLine = null;
if ((uint)pebAddress != 0)
{
byte[] PEBData;
ReadBytes(pebAddress, Marshal.SizeOf(typeof(PEB)), out PEBData);
PEB peb = ByteArrayToStructure <PEB>(PEBData);
IntPtr infoblkAddr = (IntPtr)peb.InfoBlockAddress;
byte[] data;
ReadBytes(infoblkAddr, Marshal.SizeOf(typeof(INFOBLOCK)) * 100, out data);
INFOBLOCK infoBlock = ByteArrayToStructure <INFOBLOCK>(data);
byte[] commandlineString;
ReadBytes(infoBlock.commandLineAddress, 0x1000, out commandlineString);
commandLine = Encoding.Unicode.GetString(commandlineString);
try
{
commandLine = commandLine.Substring(0, commandLine.IndexOf("\0"));
}
catch
{
commandLine = "";
}
}
return(commandLine);
}
/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
IntPtr PEBAddressPtr = IntPtr.Zero;
lock (Mutex) {
using MemoryMappedFile MemoryMap = MemoryMappedFile.CreateNew(null, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
MemoryMappedViewAccessor MemoryMapAccessor = MemoryMap.CreateViewAccessor(0, asm.Length, MemoryMappedFileAccess.ReadWriteExecute);
// Get address of the memory region
IntPtr RWXRegionAddressPtr = MemoryMapAccessor.SafeMemoryMappedViewHandle.DangerousGetHandle();
Debug.Assert(RWXRegionAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the RWX memory region.");
// Inject code
Marshal.Copy(asm.ToArray(), 0, RWXRegionAddressPtr, asm.Length);
Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 0) == 0x65, "[-] Error while injecting code.");
Debug.Assert(Marshal.ReadByte(RWXRegionAddressPtr, 9) == 0xC3, "[-] Error while injecting code.");
// Get delegate
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(RWXRegionAddressPtr);
PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
}
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
}
/// <summary>
/// Program entry point.
/// </summary>
/// <param name="args">Command line arguments.</param>
static void Main(string[] args)
{
Span <byte> asm = stackalloc byte[10] {
0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00, // MOV RAX, GS:[0x60]
0xC3 // RET
};
// Allocate memory
IntPtr lpAddress = VirtualAlloc(IntPtr.Zero, asm.Length, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
Debug.Assert(lpAddress != IntPtr.Zero, "[-] Error while allocating memory: kernl32!VirtualAlloc.");
// Write asm in memory
Marshal.Copy(asm.ToArray(), 0, lpAddress, asm.Length);
// Change memory permissions
Int32 lpflOldProtect = 0;
bool success = VirtualProtect(lpAddress, asm.Length, PAGE_EXECUTE_READ, ref lpflOldProtect);
Debug.Assert(success || lpflOldProtect == 4, "[-] Error while changing the memory permissions of the allocation memory.");
// Create delegate
GetPEBDelegate GetPEB = Marshal.GetDelegateForFunctionPointer <GetPEBDelegate>(lpAddress);
IntPtr PEBAddressPtr = GetPEB();
Debug.Assert(PEBAddressPtr != IntPtr.Zero, "[-] Error while retrieving the address of the PEB structure.");
// Pull the structure out of memory
PEB _PEB = Marshal.PtrToStructure <PEB>(PEBAddressPtr);
Debug.Assert(_PEB.Equals(default(PEB)), "[-] Error while pulling out the structure from memory");
}
}
public GameSharpProcess(Process process)
{
Native = process ?? throw new NullReferenceException("process");
NativeHandle = Native.Handle;
MainModule = Native.MainModule;
Is64Bit = IntPtr.Size == 8;
PEB = new PEB(this);
}
private GameSharpProcess()
{
ExceptionService.Initialize();
Native = Process.GetCurrentProcess();
NativeHandle = Native.Handle;
MainModule = Native.MainModule;
Is64Bit = IntPtr.Size == 8;
PEB = new PEB(this);
}
/// <summary>
/// Anti-anti-debugging methods are placed in here
/// </summary>
private void HideDebugger()
{
PEB peb = Process.PEB;
if (peb.IsValid)
{
//peb.BeingDebugged = false;
//peb.NtGlobalFlag = 0;
}
}
private static string[] TestGetProcessWorkingDirectory(string image)
{
List <string> ret = new List <string>();
Process[] ps = Process.GetProcessesByName(image);
foreach (Process p in ps)
{
Console.WriteLine($"{p.ProcessName} pid: {p.Id}");
IntPtr handle = OpenProcess(p, ProcessAccessFlags.All);
IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size);
IntPtr outLong = Marshal.AllocHGlobal(sizeof(long));
Console.WriteLine($"handle: {handle}");
int _ = NtQueryInformationProcess(handle, 0,
pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong);
if (_ != 0)
{
Console.WriteLine($"Error {ret}");
break;
}
PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi);
Console.WriteLine($"peb: {pbi.PebBaseAddress}");
IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size);
ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong);
PEB peb = Marshal.PtrToStructure <PEB>(pPeb);
IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size);
ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong);
RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp);
IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2);
RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2);
ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong);
string cwd = Marshal.PtrToStringUni(pStr);
if (!String.IsNullOrEmpty(cwd))
{
ret.Add(cwd);
}
Console.WriteLine($"cwd: {cwd}");
CloseHandle(handle);
Console.WriteLine();
}
return(ret.ToArray());
}
private static List <string> GetProcessWorkingDirectoriesByImageName(string image)
{
List <string> result = new List <string>();
Process[] ps = Process.GetProcessesByName(image);
foreach (Process p in ps)
{
IntPtr handle = OpenProcess(p);
IntPtr pPbi = Marshal.AllocHGlobal(PROCESS_BASIC_INFORMATION.Size);
IntPtr outLong = Marshal.AllocHGlobal(sizeof(long));
int ret = NtQueryInformationProcess(handle, 0,
pPbi, (uint)PROCESS_BASIC_INFORMATION.Size, outLong);
if (ret != 0)
{
continue;
}
PROCESS_BASIC_INFORMATION pbi = Marshal.PtrToStructure <PROCESS_BASIC_INFORMATION>(pPbi);
IntPtr pPeb = Marshal.AllocHGlobal(PEB.Size);
ReadProcessMemory(handle, pbi.PebBaseAddress, pPeb, PEB.Size, outLong);
PEB peb = Marshal.PtrToStructure <PEB>(pPeb);
IntPtr pUpp = Marshal.AllocHGlobal(RTL_USER_PROCESS_PARAMETERS.Size);
ReadProcessMemory(handle, peb.ProcessParameters, pUpp, RTL_USER_PROCESS_PARAMETERS.Size, outLong);
RTL_USER_PROCESS_PARAMETERS upp = Marshal.PtrToStructure <RTL_USER_PROCESS_PARAMETERS>(pUpp);
IntPtr pStr = Marshal.AllocHGlobal(upp.CurrentDirectoryPath.Length + 2);
RtlZeroMemory(pStr, upp.CurrentDirectoryPath.Length + 2);
ReadProcessMemory(handle, upp.CurrentDirectoryPath.Buffer, pStr, upp.CurrentDirectoryPath.Length, outLong);
string cwd = Marshal.PtrToStringUni(pStr);
if (!String.IsNullOrEmpty(cwd))
{
result.Add(cwd);
}
CloseHandle(handle);
}
return(result);
}
public static bool Apply(IntPtr hProcess, string path = null, string cmdLine = null, string CurrentDirectoryPath = null)
{
if (hProcess == null ||
hProcess == IntPtr.Zero)
{
return(false);
}
try
{
// default Varametrs
uint len;
// get PROCESS_BASIC_INFORMATION
var info = new PROCESS_BASIC_INFORMATION();
NtQueryInformationProcess(hProcess, 0, out info, (uint)Marshal.SizeOf(typeof(PROCESS_BASIC_INFORMATION)), out len);
// get PROCESS_BASIC_INFORMATION
var peb = new PEB();
ReadProcessMemory(hProcess, info.PebBaseAddress, (IntPtr)(&peb), (uint)Marshal.SizeOf(typeof(PEB)), out len);
// get RTL_USER_PROCESS_PARAMETERS
var psParam = new RTL_USER_PROCESS_PARAMETERS();
ReadProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len);
// patch
WriStr(hProcess, ref psParam.ImagePathName, path);
WriStr(hProcess, ref psParam.CommandLine, cmdLine);
WriStr(hProcess, ref psParam.CurrentDirectoryPath, CurrentDirectoryPath);
// reflecet Changes
return
(WriteProcessMemory(hProcess, peb.ProcessParameters, (IntPtr)(&psParam), (uint)Marshal.SizeOf(typeof(RTL_USER_PROCESS_PARAMETERS)), out len));
}
catch (Exception)
{
return(false);
}
}
